TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Inappropriate Use of Email by Employees and System Configuration Management Weaknesses Are Creating Security Risks

July 31, 2006

Reference Number: 2006-20-110

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site      | http://www.tigta.gov


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

July 31, 2006

MEMORANDUM FOR CHIEF INFORMATION OFFICER
               CHIEF, MISSION ASSURANCE AND SECURITY SERVICES

FROM:    Michael R. Phillips
         Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Inappropriate Use of Email by Employees and System Configuration Management Weaknesses Are Creating Security Risks (Audit # 200520032)

This report presents the results of our review to determine whether the Internal Revenue Service's (IRS) electronic mail (email) system was being used properly by employees and was secured by system administrators.

Synopsis

Email allows an organization and its employees to better communicate with each other, customers, and business partners. The risk of computer viruses,[1] however, has prompted the IRS to screen for questionable incoming emails, issue a personal use policy[2] on what an employee can and cannot do with email, and conduct awareness training to all employees on the importance of complying with the email use policy.

While these efforts established a good foundation for email security, employees are not following the IRS' personal email use policy. In addition, the IRS has unsecured and unauthorized email servers[3] on its computer network. As a result, the IRS' internal network, its computers, and the data maintained on the network could be at risk of being compromised, destroyed, or shut down.

    Employees are not following the IRS email use policy, and unsecured and unauthorized email servers are putting the internal network at risk.

• IRS employees are violating provisions of the personal use policy with their email usage. Specifically, we found inappropriate email messages in 74 percent of the employee mailboxes reviewed. These inappropriate email messages contained chain letters, jokes, offensive content, and sexually explicit content.

      We found 71 (74 percent) of 96 employees had in their electronic mailboxes email messages that violated the IRS' personal use policy.

  The IRS' personal use policy protects the organization from employee actions that might harm or bring unnecessary risk to the organization. For example, hackers have designed email messages containing computer viruses to entice recipients to open them because of their interesting subject lines. Opening these types of emails can activate the computer virus, which in turn could destroy data on computers, enable the hacker to gain unauthorized access to the computer and any sensitive information stored on the computer, and disrupt email and computer operations. While the IRS has conducted awareness presentations and distributed communications to encourage employees to comply with its personal use policy, it does not effectively monitor the email of its employees to ensure compliance with the policy.

• Email servers, like any other computer component, can be vulnerable to computer attacks (e.g., denials of service[4] or buffer overflows[5]) and need to be properly secured and maintained. The IRS maintains 228 authorized email servers to support its email operations. To evaluate the security over email servers, we selected a judgmental sample of 28 email servers and found 687 security vulnerabilities on all 28 servers. People can exploit security vulnerabilities to shut down the servers and disrupt email service or to use the servers to access or attack other computers in the network, which could disrupt other critical operations in the IRS.

In addition, the IRS should limit the number of email servers needed for its email operations to the minimum needed. Aside from the 228 email servers cited above, we identified an additional 4,913 Internet Protocol[6] addresses with devices/servers that have been configured to operate as unauthorized email servers. Any email received through unauthorized email servers would circumvent the security screening established to identify malicious software. If the email contains a computer virus, it could infect the computer as well as the computer network. To evaluate the security of these servers, we selected a sample of 30 and found 363 security vulnerabilities on all 30 computers.

Security vulnerabilities can be exploited to shut down the server and disrupt all other functions of these servers, or to use the server to access or attack other computers in the network, which could disrupt other critical operations in the IRS. The majority of the security vulnerabilities on the email servers cited above occurred because system administrators had not installed current security patches[7] on the email servers.

Recommendations

The Chief, Mission Assurance and Security Services, should continue to emphasize the risks associated with inappropriate email use and consider implementing a program of monitoring email message content, which could subsequently increase the number of employees disciplined for abusing their email privileges. The Chief Information Officer should ensure existing procedures are followed to install security updates and patches on all email servers and hold system administrators accountable for ensuring only authorized computers are enabled to perform as email servers.

Response

IRS management agreed with all four of our recommendations. The Chief, Mission Assurance and Security Services, will consider a program to monitor email message content and will also add reminders to existing security awareness training that disciplinary actions have been and will be taken against employees for email abuse. In addition, the Chief Information Officer will hold system administrators accountable for ensuring only authorized computers are enabled to perform as email servers and existing procedures are followed to install security updates and patches on all email servers. Management's complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs) at (202) 622-8510.

[1] A computer virus is a piece of programming code that is buried in an existing program and, when executed by the victim, can cause some unexpected and undesirable events. One of the fastest spreading computer viruses was the Love Letter virus, which was sent via email with "I LOVE YOU" in the subject field. This virus replicated itself to everyone in the user's Microsoft Outlook address book, then destroyed local files.
[2] IRS Policy on Limited Personal Use of Government Information Technology Equipment/Resources, dated May 3, 2002.
[3] An email server is a computer that receives email messages and stores messages in the recipient's electronic mailbox on the computer.
[4] Denial of service attacks inundate a computer system or network with traffic that overloads the system resources, causing them to cease operations or lose network connectivity.
[5] Buffer overflows occur when a user inputs unexpected data to predefined fields that a program is not designed to handle. This situation can cause the program to run supplemental instructions by the user or to cease operation.
[6] An Internet Protocol address is a unique identifier that devices such as routers, computers, servers, and printers use to identify and communicate with each other on a computer network. The 4,913 Internet Protocol addresses were connected to systems configured to route email.
[7] A patch is a fix to a program as a result of a design flaw in the program. Patches must be installed or applied to the applicable computer to correct the flaw.


Table of Contents

Background ..... Page 1

Results of Review ..... Page 3
    Employees Are Not Following the Personal Use Policy ..... Page 3
        Recommendations 1 and 2 ..... Page 5
    Unsecured and Unauthorized Email Servers Are Putting the Internal Network at Risk ..... Page 5
        Recommendations 3 and 4 ..... Page 7

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology ..... Page 9
    Appendix II – Major Contributors to This Report ..... Page 11
    Appendix III – Report Distribution List ..... Page 12
    Appendix IV – Management's Response to the Draft Report ..... Page 13


Abbreviations

Email   Electronic mail
IRS     Internal Revenue Service


Background

Electronic mail (email) is a form of electronic messaging and is a widely used method of transporting messages across the Internet. The Internal Revenue Service (IRS) relies on email as a method of communication within the organization as well as with external sources for business purposes. Email often replaces memoranda, meetings, and telephone conversations.

Email, however, also presents one of the highest security risks to computer networks. For example, most computer viruses are presently spread through email attachments. A computer virus is a piece of programming code that is buried in an existing program or file and, when executed by the victim, can cause some unexpected and undesirable events. Computer viruses can destroy data on computers, disrupt computer operations, and degrade network performance.[1] As such, it is critical to maintain controls over email use as well as the computer hardware and software installed to support email operations.

In November 2000, we reported there was strong evidence that IRS employee use of email for nonbusiness purposes was significant.[2] In May 2002, given the rapidly expanding use of the Internet and email as today's primary sources of information and personal communication, the IRS implemented a limited personal use policy for the Internet, email, and other equipment and resources.[3] The IRS policy cautions employees to conduct themselves professionally in the workplace and to refrain from using Federal Government information technology equipment and resources for activities that are inappropriate based on established standards of conduct. The IRS considers email as inappropriate if it contains large, nonbusiness file attachments; chain letters; jokes; material that is offensive to other employees; or sexually oriented material. Email pertaining to illegal activities and other prohibited outside activities, such as running a business, fundraising, or restricted political activity, is also considered inappropriate.

As another means to protect itself from incoming emails, the IRS uses software to screen for viruses and other malicious programs that may be hidden in email messages entering the IRS network via the Internet. In addition, it has implemented technical controls to protect its email servers from potential email threats. An email server is a computer that receives email and stores it in the recipient's electronic mailbox. To access the mailbox and read the email, a recipient must enter a logon name and a password. A large organization, such as the IRS, can use many email servers to support its users.

This review was performed at the IRS National Headquarters in Washington, D.C., in the Office of the Chief Information Officer and the Chief, Mission Assurance and Security Services, during the period August 2005 through February 2006. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] One of the fastest spreading computer viruses was the Love Letter virus, which was sent via email with "I LOVE YOU" in the subject field. This virus replicated itself to everyone in the user's Microsoft Outlook address book, then destroyed local files.
[2] Management Should Take Action to Address Employees' Personal Use of Email (Reference Number 2001-20-017, dated November 2000).
[3] IRS Policy on Limited Personal Use of Government Information Technology Equipment/Resources, dated May 3, 2002.


Results of Review

Employees Are Not Following the Personal Use Policy

Security software used by the IRS prevents many inappropriate messages from entering the IRS network via the Internet. The IRS, however, cannot rely solely on this software. An email virus attack can spread worldwide in minutes, but it may take hours or days for antivirus software vendors to analyze, create, and distribute virus definition updates to protect systems against potential computer virus attacks. In addition to using security software, the IRS has conducted awareness presentations and distributed communications to encourage employees to comply with its email policy. Examples of these awareness efforts include the all-employee annual computer security training modules and periodic communications via email (e.g., the IRS Headlines newsletter).

To determine whether IRS employees were complying with the IRS' personal use policy, we selected a statistical sample of 96 employees from the IRS' list of email addresses and reviewed 46,551 emails received and sent by these employees during June through August 2005. We found 2,576 messages in 71 (74 percent) of the 96 employee mailboxes that violated the IRS' personal use policy. These employees had from 1 to 288 inappropriate emails in their mailboxes. Specifically, we found the following types of inappropriate emails:

    We found email messages that violated the IRS' personal use policy in the electronic mailboxes of 71 (74 percent) of 96 employees.

• Chain letters, jokes, and/or pictures accounted for 76 percent of the inappropriate emails. The content is often considered harmless on its own; however, it is well known that these messages present a security threat by being common carriers of malicious software.[4]

• Emails containing content considered offensive according to IRS guidelines accounted for 20 percent of the inappropriate emails. These emails contained hate speech and material that ridiculed others on the basis of race, creed, religion, color, sex, disability, national origin, or sexual orientation.

• Emails containing sexually oriented content, prohibited activities, and/or large files accounted for the remaining 4 percent of the inappropriate messages. Prohibited activities include activities conducted for commercial purposes, in support of for-profit activities, or in support of other outside employment.

Figure 1 summarizes these email policy violations by type.

Figure 1: Email Policy Violations by Type

    Violation Type                                 Number of Messages
    Chain Letters                                               1,953
    Offensive Content                                             528
    Sexually Oriented Content                                      55
    Prohibited Activities                                          22
    Large Files (graphics, video, sound, etc.)                     18
    TOTAL                                                       2,576

    Source: Our analysis of a sample of IRS employees' email messages.

The large number of inappropriate emails places the IRS network at risk. For example, malicious software could be attached to these emails that could destroy data on the computer, enable unauthorized persons to access sensitive information, and disrupt computer operations by causing a denial of service attack.[5]

In addition to the security risks, the performance and efficiency of the IRS' computing network is degraded by the number and size of inappropriate email messages. Many of the sampled messages contained graphics, sound, video, and/or animations that significantly increased the sizes of the files. Inclusion of these unnecessary features in an email message often increases the message's size from 10 to 50 times the size of a normal text message, causing the system to operate slower and less efficiently, and creates the need for additional storage capacity that can be costly.

Offensive and inappropriate content in messages can also damage employee relationships and lead to adverse personnel actions or potential lawsuits. When forwarded to outside recipients, these messages could also invite high-profile media attention, damaging the IRS' reputation.

The IRS' personal use policy protects the organization from employee actions that might harm or bring unnecessary risk to the organization. For example, hackers will craft email messages, which contain malicious software, designed to entice recipients to open them because of their interesting subject lines. Opening these types of emails could activate the malicious software, which in turn could destroy data on computers, enable unauthorized persons access to sensitive information, and disrupt computer operations.

The IRS has not effectively monitored the email of its employees to ensure compliance with the policy and has taken relatively few disciplinary actions. For Fiscal Years 2003 through 2005, the IRS disciplined only 283 employees for abuse of email privileges. Of the 283 employees, 193 received written or oral counseling; 86 received formal disciplinary actions including admonishments, reprimands, suspensions, and removal; and 4 resigned. One additional case was referred to the Treasury Inspector General for Tax Administration Office of Investigations.

Recommendations

The Chief, Mission Assurance and Security Services, should:

Recommendation 1: Continue to emphasize the risks associated with inappropriate email use. If reminders that disciplinary actions have been taken against employees for email abuse are added to existing security awareness training, the number of violations may be reduced.

    Management's Response: The IRS agreed with this recommendation and the Chief, Mission Assurance and Security Services, will ensure inclusion of reminders that disciplinary actions have been and will be taken against employees for email abuse in the next update to the IRS' annual security awareness training.

Recommendation 2: Consider implementing a program of monitoring email message content, which could subsequently increase the number of employees disciplined for abusing their email privileges. This approach will require a commitment of additional resources. However, considering the risks of subjecting the IRS network to malicious software, we believe this commitment is necessary.

    Management's Response: The IRS agreed with this recommendation and the Chief, Mission Assurance and Security Services, will review the IRS policy on email content monitoring and make a policy recommendation concerning a content monitoring program.

[4] Malicious software is designed to infiltrate or damage a computer system, without the owner's consent. It includes computer viruses, spyware, and adware.
[5] Denial of service attacks inundate a computer system or network with traffic that overloads the system resources, causing them to cease operations or lose network connectivity.


Unsecured and Unauthorized Email Servers Are Putting the Internal Network at Risk

Email servers, like any other computer component, can be vulnerable to many different types of attacks, such as denials of service or buffer overflows,[6] that can lead to the compromise of a single server and even the entire network. The IRS could suffer unauthorized accesses to sensitive information and disruptions of computer operations. To reduce these risks, the IRS must ensure the email servers are configured properly and limit the number of email servers to the minimum needed to continue uninterrupted operations.

Authorized email servers contain security vulnerabilities

The IRS provided us with a list of 228 authorized email servers. We selected a judgmental sample of 28 of the authorized email servers and performed vulnerability scans using the Nessus[7] security software. Our tests identified 687 security vulnerabilities. Of these, 250 (36 percent) were identified as high risk.[8] The other 437 security vulnerabilities were identified as medium and low risk.[9] Security vulnerabilities were found on all 28 servers.

The majority of the security vulnerabilities occurred because system administrators had not installed current security updates and patches.[10] Untimely installation of patches to existing email servers increases the risk that the systems could be disrupted and vulnerable to new attacks.

All of the existing email servers were replaced during our review, as the IRS migrated all of its email servers to Microsoft Exchange 2003. This migration, begun in August 2005, was completed in April 2006. We scanned 16 Microsoft Exchange 2003 email servers, as of December 2005, and found only minor security vulnerabilities. However, these servers will be subject to the same weaknesses found on the servers that were replaced if system administrators are not diligent in installing security updates and patches as required.

Unnecessary and unauthorized email servers existed on the IRS network

We scanned the entire IRS internal network to identify any computer configured to operate as an email server. In addition to the 228 computers the IRS listed as "authorized" email servers, our scan identified 4,913 Internet Protocol[11] addresses with devices/servers that have been configured to operate as unauthorized email servers. Any emails received by unauthorized servers from outside the IRS network system circumvent the security software installed to screen for malicious software, thus unnecessarily increasing the risk that the IRS could suffer unauthorized accesses to sensitive information and disruptions of computer operations. These unauthorized servers could also be used to send fictitious email that looks as if it came from a legitimate user and as a means to send spam[12] mail.

From a judgmental sample of 30 of the 4,913 unauthorized devices/servers, we identified 363 security vulnerabilities (on all 30 computers) in the email server applications and the operating systems on which the email applications run. Of these, 149 (41 percent) were identified as high-risk vulnerabilities. The other 214 security vulnerabilities were identified as medium or low risk. The high-risk security vulnerabilities could cause a denial of service, cause buffer overflows that could produce a program crash or erroneous results, or allow unauthorized persons to have access to the computer and possibly execute commands as if the user were the system administrator.

Some portion of the 4,913 unauthorized email servers may be legitimate email servers without being classified as such on the IRS inventory. However, we believe most of the computers were likely installed by the IRS with the default email capability set by the vendor of the operating system. The IRS configuration guide requires system administrators to suppress this capability when installing most operating systems, unless it is specifically needed. Due to the large number of unauthorized email servers identified, we believe system administrators did not comply with these requirements. In addition, the IRS currently does not scan its network to identify and close unauthorized email servers.

Recommendations

The Chief Information Officer should:

Recommendation 3: Ensure existing procedures are followed to install security updates and patches on all email servers. Periodic scans should be conducted to determine whether the updates and patches have been installed.

    Management's Response: The IRS agreed with this recommendation and the Director, Information Technology Infrastructure, in the Enterprise Operations organization, will ensure local administrators run a program against all email servers that will report any deficiencies in patches and security updates. To ensure all email servers are addressed, the Director, Information Technology Infrastructure, will also work with IRS Chief Counsel and Criminal Investigation functions to help them establish procedures to install security updates and procedures.

Recommendation 4: Hold system administrators accountable for ensuring only authorized computers are enabled to perform as email servers. Periodic scans should be conducted to identify unauthorized servers and applications.

    Management's Response: The IRS agreed with this recommendation and the Assistant Chief Information Officer, Enterprise Operations, will review servers to determine their status and identify any unauthorized email servers. If an email server is not authorized, the capability will be disabled unless a business case is approved using a waiver.

[6] Buffer overflows occur when a user inputs unexpected data to pre-defined fields that a program is not designed to handle. This situation can cause the program to run supplemental instructions by the user or to cease operation.
[7] Nessus is a vulnerability scanning program that identifies security vulnerabilities of the computer on which the program is run.
[8] High-risk vulnerabilities are those that are well known to hackers, are easily exploitable, and have the potential to cause significant damage (e.g., allow an unauthorized person to operate as the root user, giving him or her total access and control of the computer).
[9] Medium-risk vulnerabilities are those that result in a security hole that can lead to privilege escalation; however, an attacker needs additional information or tools to exploit the vulnerability. Low-risk vulnerabilities can provide information to an attacker, but the vulnerability is not a threat in itself.
[10] A patch is a fix to a program as a result of a design flaw in the program. Patches must be installed or applied to the applicable computer to correct the flaw.
[11] An Internet Protocol address is a unique identifier that devices such as routers, computers, servers, and printers use in order to identify and communicate with each other on a computer network. The 4,913 Internet Protocol addresses we identified were connected to systems configured to route email.
[12] Spam mail is unsolicited email sent indiscriminately to individuals, businesses, and multiple mailing lists; it is often referred to as junk email.


Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS email system was being used properly by employees and was secured by system administrators. Specifically, we:

I.   Determined whether employees were complying with the IRS Policy on Limited Personal Use of Government Information Technology Equipment/Resources (personal use policy) dated May 3, 2002, regarding email.
     A. Reviewed the personal use policy as it relates to email and determined whether IRS employees were aware of existing guidance and policy by reviewing the training, procedures, and policies provided to employees on the use of email.
     B. Determined the number of adverse actions taken against IRS employees for violating email guidance and policy for Fiscal Years 2003 through 2005.
     C. Selected a random sample of 96 mailboxes from the IRS' Global Address List in Outlook. As of August 1, 2005, the Global Address List had approximately 87,000 users. We selected a statistical (attribute) sample using a 95 percent confidence level, an expected error rate of 50 percent, and a precision of +10 percent.
     D. Reviewed the sample of 96 mailboxes for messages received and sent during June through August 2005 to determine whether IRS employees were using email in compliance with the IRS' personal use policy.
II.  Determined whether the IRS implemented adequate controls to ensure the email system was secure and malicious content was not delivered to the end user.
     A. Determined whether the email servers were configured securely.
        1. Obtained from IRS management a list of 228 authorized Secure Enterprise Messaging Systems email servers, including those mail servers that support the IRS Office of Chief Counsel.
        2.
Conducted a Network MAPper1 scan of the IRS network to identify computers\n                with open ports indicating the potential that an email server was installed on those\n                computers.\n\n\n1\n This is free security scanner software that can identify certain attributes of the computer against which it is run.\nThese attributes include the operating system and version being used, the ports that are open, and the services being\noffered.\n                                                                                                              Page 9\n\x0c                           Inappropriate Use of Email by Employees and System\n                                 Configuration Management Weaknesses\n                                        Are Creating Security Risks\n\n\n\n             3. Reviewed for vulnerabilities a judgmental sample of 30 email servers that were\n                not a part of the 228 authorized email servers identified in Step II.A.1. Our port\n                scanning identified 4,913 computers that were not included in the list of\n                authorized email servers. We used a judgmental sample because we did not plan\n                to project the results.\n             4. Performed security testing on a judgmental sample of 28 of the 228 authorized\n                Secure Enterprise Messaging System mail servers that had not migrated to\n                Microsoft Exchange 2003.\n                  a. Used the Nessus vulnerability scanner to identify potential vulnerabilities on\n                     the selected servers.\n                  b. Determined whether all operating system and application patches had been\n                     installed or mitigating controls had been implemented.\n             5. Performed security testing on a judgmental sample of 30 email servers that were\n                upgraded or replaced during the Microsoft Exchange 2003 migration. 
We used\n                automated tools such as the Nessus vulnerability scanner and the Microsoft\n                Baseline Security Analyzer2 to identify potential vulnerabilities (including\n                missing operating system and application patches) in the operating system and\n                mail application configurations.\n         B. Determined whether the IRS actively scanned incoming email for malicious content\n            (e.g., email viruses).\n             1. Reviewed the rules used to identify malicious content and what types of\n                attachments are allowed.\n             2. Determined how often the rules are modified and how often the scanner or\n                antivirus software is updated.\n             3. Reviewed the process by which spam3 and other bulk email is handled.\n         C. Determined whether the IRS provided its email system administrators sufficient and\n            ongoing training on the email server applications being used by reviewing the training\n            records over the last 2 fiscal years for the email administrators responsible for the\n            authorized email servers.\n\n\n\n\n2\n  This is a Microsoft Corporation tool designed to determine the security state of a computer running the Microsoft\noperating system and to detect common security misconfigurations and missing security updates.\n3\n  Spam mail is unsolicited email sent indiscriminately to individuals, businesses, and multiple mailing lists; it is\noften referred to as junk email.\n                                                                                                            Page 10\n\x0c                     Inappropriate Use of Email by Employees and System\n                           Configuration Management Weaknesses\n                                  Are Creating Security Risks\n\n\n\n                                                                              Appendix II\n\n                 Major Contributors to 
This Report\n\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)\nSteve Mullins, Director\nKent Sagara, Acting Director\nThomas Polsfoot, Audit Manager\nDan Ardeleano, Senior Auditor\nDavid Brown, Senior Auditor\nGeorge Franklin, Senior Auditor\nLarry Reimer, Senior Auditor\nEsther Wilson, Senior Auditor\n\n\n\n\n                                                                                     Page 11\n\x0c                    Inappropriate Use of Email by Employees and System\n                          Configuration Management Weaknesses\n                                 Are Creating Security Risks\n\n\n\n                                                                 Appendix III\n\n                         Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Management Controls OS:CFO:AR:M\nAudit Liaisons:\n       Chief Information Officer OS:CIO\n       Chief, Mission Assurance and Security Services OS:MA\n\n\n\n\n                                                                         Page 12\n\x0c     Inappropriate Use of Email by Employees and System\n           Configuration Management Weaknesses\n                  Are Creating Security Risks\n\n\n\n                                                Appendix IV\n\nManagement\xe2\x80\x99s Response to Draft Report\n\n\n\n\n                                                          Page 13\n\x0cInappropriate Use of Email by Employees and System\n      Configuration Management Weaknesses\n             Are Creating Security Risks\n\n\n\n\n                                                     Page 14\n\x0cInappropriate Use of Email by Employees and System\n      Configuration Management Weaknesses\n             
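Appendix I (steps II.A.2 and II.A.3) identifies email listeners by port scan and then subtracts the authorized inventory, and Recommendation 4 asks for periodic scans of the same kind. The following is an added example, not part of the report or of any IRS tooling: it parses constructed Nmap grepable (-oG) output, treats an open TCP port 25 (SMTP) as the marker of an email server (an assumption; the report does not name the port), and lists the hosts missing from a constructed authorized list.

```python
"""Reconcile an Nmap port-scan result against an authorized mail-server inventory.
Added example, not from the TIGTA report. Assumes the scan was saved in Nmap's
grepable (-oG) format and that an open TCP port 25 (SMTP) listener is what marks
a host as "configured to route email"; neither detail is stated in the report.
"""
import re
from typing import Dict, List, Set

SMTP_PORT = 25

# Constructed sample of nmap -oG output (fictitious addresses, not IRS data).
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 10.1.1.10 (mail01.example.gov)\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.1.1.11 (mail02.example.gov)\tPorts: 25/open/tcp//smtp///\tIgnored State: closed (999)
Host: 10.1.2.40 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///\tIgnored State: closed (998)
Host: 10.1.2.41 ()\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///\tIgnored State: closed (998)
Host: 10.1.3.7 (ws-0042.example.gov)\tPorts: 139/open/tcp//netbios-ssn///\tIgnored State: closed (999)
"""

# Constructed stand-in for the authorized inventory (the report's list had 228 hosts).
AUTHORIZED: Set[str] = {"10.1.1.10", "10.1.1.11"}

# One -oG "Host:" line: address, optional hostname in parentheses, then the port list.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)\s*(?:Ignored State:.*)?$")
# One port entry: port/state/protocol/... (the remaining fields are not needed here).
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/")


def hosts_listening_on(scan_text: str, port: int = SMTP_PORT) -> Dict[str, str]:
    """Return {ip: hostname} for every host with an *open* TCP listener on `port`."""
    found: Dict[str, str] = {}
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no port data
        ip, hostname, ports = m.group(1), m.group(2), m.group(3)
        for entry in ports.split(","):
            pm = PORT_RE.match(entry.strip())
            if pm and (int(pm.group(1)), pm.group(2), pm.group(3)) == (port, "open", "tcp"):
                found[ip] = hostname  # filtered/closed entries are deliberately ignored
    return found


def unauthorized_mail_servers(scan_text: str, authorized: Set[str]) -> List[str]:
    """Addresses accepting SMTP that are absent from the authorized inventory."""
    return sorted(ip for ip in hosts_listening_on(scan_text) if ip not in authorized)


if __name__ == "__main__":
    for ip in unauthorized_mail_servers(SAMPLE_SCAN, AUTHORIZED):
        print(f"unauthorized SMTP listener: {ip}")
```

Run against a real `nmap -p 25 -oG` result and the current inventory export, the same reconciliation gives the periodic check Recommendation 4 asks for; hosts that only show port 25 as filtered or closed are not flagged.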